npm - verification-layer - Versions diffs - 0.24.4 → 0.25.0 - Mend

verification-layer 0.24.4 → 0.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (111) hide show

package/README.md +42 -2
package/dist/ai/cache.js +2 -2
package/dist/ai/cache.js.map +1 -1
package/dist/ai/config.d.ts +1 -1
package/dist/ai/config.js +1 -1
package/dist/ai/config.js.map +1 -1
package/dist/ai/rules/prompts/audit-logging.js +1 -1
package/dist/ai/rules/rule-runner.d.ts.map +1 -1
package/dist/ai/rules/rule-runner.js.map +1 -1
package/dist/ai/rules/triage.d.ts.map +1 -1
package/dist/ai/rules/triage.js +1 -1
package/dist/ai/rules/triage.js.map +1 -1
package/dist/ai/scanner.d.ts.map +1 -1
package/dist/ai/scanner.js +1 -1
package/dist/ai/scanner.js.map +1 -1
package/dist/cli.js +77 -13
package/dist/cli.js.map +1 -1
package/dist/exclusions.d.ts +13 -0
package/dist/exclusions.d.ts.map +1 -0
package/dist/exclusions.js +27 -0
package/dist/exclusions.js.map +1 -0
package/dist/index.d.ts +0 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +0 -1
package/dist/index.js.map +1 -1
package/dist/marketplace/installer.d.ts.map +1 -1
package/dist/marketplace/installer.js +3 -3
package/dist/marketplace/installer.js.map +1 -1
package/dist/marketplace/registry.d.ts.map +1 -1
package/dist/marketplace/registry.js +3 -1
package/dist/marketplace/registry.js.map +1 -1
package/dist/reporters/auditor-report.d.ts +2 -1
package/dist/reporters/auditor-report.d.ts.map +1 -1
package/dist/reporters/auditor-report.js +203 -16
package/dist/reporters/auditor-report.js.map +1 -1
package/dist/reporters/branding.d.ts +39 -0
package/dist/reporters/branding.d.ts.map +1 -0
package/dist/reporters/branding.js +124 -0
package/dist/reporters/branding.js.map +1 -0
package/dist/reporters/finding-presentation.d.ts +74 -0
package/dist/reporters/finding-presentation.d.ts.map +1 -0
package/dist/reporters/finding-presentation.js +172 -0
package/dist/reporters/finding-presentation.js.map +1 -0
package/dist/reporters/index.d.ts.map +1 -1
package/dist/reporters/index.js +50 -40
package/dist/reporters/index.js.map +1 -1
package/dist/reporters/scan-pdf-report.d.ts +23 -0
package/dist/reporters/scan-pdf-report.d.ts.map +1 -0
package/dist/reporters/scan-pdf-report.js +326 -0
package/dist/reporters/scan-pdf-report.js.map +1 -0
package/dist/scan.d.ts +11 -0
package/dist/scan.d.ts.map +1 -1
package/dist/scan.js +46 -1
package/dist/scan.js.map +1 -1
package/dist/scanners/api-security/index.js +2 -2
package/dist/scanners/api-security/index.js.map +1 -1
package/dist/scanners/authentication/index.d.ts.map +1 -1
package/dist/scanners/authentication/index.js +32 -27
package/dist/scanners/authentication/index.js.map +1 -1
package/dist/scanners/configuration/index.js +2 -2
package/dist/scanners/configuration/index.js.map +1 -1
package/dist/scanners/credentials/index.d.ts.map +1 -1
package/dist/scanners/credentials/index.js +9 -4
package/dist/scanners/credentials/index.js.map +1 -1
package/dist/scanners/credentials/index.test.js +3 -3
package/dist/scanners/credentials/patterns.d.ts.map +1 -1
package/dist/scanners/credentials/patterns.js +4 -4
package/dist/scanners/credentials/patterns.js.map +1 -1
package/dist/scanners/errors/index.js +2 -2
package/dist/scanners/errors/index.js.map +1 -1
package/dist/scanners/hipaa2026/index.d.ts.map +1 -1
package/dist/scanners/hipaa2026/index.js +8 -20
package/dist/scanners/hipaa2026/index.js.map +1 -1
package/dist/scanners/hipaa2026/index.test.js +2 -2
package/dist/scanners/hipaa2026/patterns.d.ts.map +1 -1
package/dist/scanners/hipaa2026/patterns.js +18 -5
package/dist/scanners/hipaa2026/patterns.js.map +1 -1
package/dist/scanners/operational/index.d.ts.map +1 -1
package/dist/scanners/operational/index.js +27 -27
package/dist/scanners/operational/index.js.map +1 -1
package/dist/scanners/rbac/index.js +2 -2
package/dist/scanners/rbac/index.js.map +1 -1
package/dist/scanners/rbac/index.test.js +3 -0
package/dist/scanners/rbac/index.test.js.map +1 -1
package/dist/scanners/rbac/patterns.d.ts.map +1 -1
package/dist/scanners/rbac/patterns.js +10 -3
package/dist/scanners/rbac/patterns.js.map +1 -1
package/dist/scanners/revocation/index.js +2 -2
package/dist/scanners/revocation/index.js.map +1 -1
package/dist/scanners/sanitization/index.d.ts.map +1 -1
package/dist/scanners/sanitization/index.js +2 -3
package/dist/scanners/sanitization/index.js.map +1 -1
package/dist/scanners/skills/index.js +1 -1
package/dist/scanners/skills/index.js.map +1 -1
package/dist/scanners/skills/patterns.js +3 -3
package/dist/scanners/skills/patterns.js.map +1 -1
package/dist/scanners/utils.d.ts +44 -0
package/dist/scanners/utils.d.ts.map +1 -0
package/dist/scanners/utils.js +77 -0
package/dist/scanners/utils.js.map +1 -0
package/dist/training/index.js +1 -1
package/dist/training/index.js.map +1 -1
package/dist/types.d.ts +38 -1
package/dist/types.d.ts.map +1 -1
package/dist/utils/scan-history.js +2 -2
package/dist/utils/scan-history.js.map +1 -1
package/package.json +2 -2
package/dist/scan-code.d.ts +0 -12
package/dist/scan-code.d.ts.map +0 -1
package/dist/scan-code.js +0 -34
package/dist/scan-code.js.map +0 -1

package/dist/reporters/finding-presentation.js ADDED Viewed

@@ -0,0 +1,172 @@
+const SEVERITY_RANK = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+};
+/**
+ * A finding is "proposed" when its HIPAA reference cites the NPRM (the proposed
+ * 2026 Security Rule), not a current obligation. Such findings are still shown,
+ * but they must not inflate a group's headline severity.
+ */
+export function isProposedFinding(f) {
+    return /\bNPRM\b/i.test(f.hipaaReference ?? '');
+}
+/**
+ * Split findings into CURRENT obligations and PROPOSED (NPRM) ones. Proposed
+ * findings are rendered in their own "Upcoming Requirements" subsection and are
+ * excluded from the current-severity Scan Summary, so a proposed rule is never
+ * shown as a current red/critical violation.
+ */
+export function partitionFindingsByStatus(findings) {
+    const current = [];
+    const proposed = [];
+    for (const f of findings) {
+        (isProposedFinding(f) ? proposed : current).push(f);
+    }
+    return { current, proposed };
+}
+/** Stable ordering for the proposed-requirements list: by file, line, title. */
+export function sortProposedFindings(findings) {
+    return [...findings].sort((a, b) => a.file.localeCompare(b.file) || (a.line ?? 0) - (b.line ?? 0) || a.title.localeCompare(b.title));
+}
+/** Highest severity among the given findings; null if the list is empty. */
+function highestSeverity(findings) {
+    let best = null;
+    for (const f of findings) {
+        if (best === null || SEVERITY_RANK[f.severity] < SEVERITY_RANK[best])
+            best = f.severity;
+    }
+    return best;
+}
+/**
+ * Group findings by (file + line + rule category). Several rules that flag the
+ * same line for the SAME reason (e.g. all PHI-in-logs on route.ts:36) collapse
+ * into one entry; unrelated rules on the same line (e.g. MFA + backup) stay as
+ * separate rows. A single-member group renders as a normal row.
+ *
+ * The headline severity reflects only CURRENT requirements — proposed (NPRM)
+ * findings never raise it (they stay listed inside with their own badge). When
+ * every member is proposed, the highest proposed severity is used.
+ *
+ * Groups are ordered by group severity (critical first), then file, line, and
+ * category. The total member count always equals the input length — nothing is
+ * dropped.
+ */
+export function groupFindingsByLocation(findings) {
+    const byKey = new Map();
+    for (const f of findings) {
+        const key = `${f.file}::${f.line ?? ''}::${f.category}`;
+        const existing = byKey.get(key);
+        if (existing)
+            existing.push(f);
+        else
+            byKey.set(key, [f]);
+    }
+    const groups = [];
+    for (const [key, members] of byKey) {
+        const sorted = [...members].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.title.localeCompare(b.title));
+        const current = sorted.filter(f => !isProposedFinding(f));
+        // Headline severity: highest among current findings; if the group is
+        // entirely proposed, fall back to the highest proposed severity.
+        const severity = highestSeverity(current.length > 0 ? current : sorted);
+        groups.push({
+            key,
+            file: sorted[0].file,
+            line: sorted[0].line,
+            category: sorted[0].category,
+            severity,
+            members: sorted,
+        });
+    }
+    groups.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] ||
+        a.file.localeCompare(b.file) ||
+        (a.line ?? 0) - (b.line ?? 0) ||
+        a.category.localeCompare(b.category));
+    return groups;
+}
+/** Count location-groups by their group severity (for summary/filter labels). */
+export function countGroupsBySeverity(groups) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const g of groups)
+        counts[g.severity]++;
+    return counts;
+}
+/**
+ * Official 45 CFR Part 164 control names, keyed by section. Used only to fill in
+ * the control name for findings whose hipaaReference is a bare citation
+ * (e.g. "§164.502"). Findings that already carry a name keep their own wording.
+ */
+const SECTION_NAMES = {
+    '164.308(a)(1)(ii)(A)': 'Risk Analysis',
+    '164.308(a)(7)(ii)(A)': 'Data Backup Plan',
+    '164.308(a)(8)': 'Evaluation',
+    '164.312(a)(1)': 'Access Control',
+    '164.312(a)(2)(i)': 'Unique User Identification',
+    '164.312(a)(2)(iii)': 'Automatic Logoff',
+    '164.312(a)(2)(iv)': 'Encryption and Decryption',
+    '164.312(b)': 'Audit Controls',
+    '164.312(c)': 'Integrity',
+    '164.312(d)': 'Person or Entity Authentication',
+    '164.312(e)(1)': 'Transmission Security',
+    '164.502': 'Uses and Disclosures of PHI: General Rules',
+    '164.502(b)': 'Minimum Necessary',
+    '164.514': 'De-identification and Minimum Necessary',
+    '164.530(j)': 'Documentation',
+};
+/** Progressively strip trailing "(...)" groups to find a fallback name. */
+function nameForSection(section) {
+    let candidate = section;
+    while (candidate) {
+        if (SECTION_NAMES[candidate])
+            return SECTION_NAMES[candidate];
+        const stripped = candidate.replace(/\([^)]*\)$/, '');
+        if (stripped === candidate)
+            break;
+        candidate = stripped;
+    }
+    return undefined;
+}
+function normalizeOneRef(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed === '-' || trimmed === '—')
+        return null;
+    const sectionMatch = trimmed.match(/(\d{3}\.\d+(?:\s*\([^)]*\))*)/);
+    if (!sectionMatch)
+        return trimmed; // unrecognised shape — leave untouched
+    const section = sectionMatch[1].replace(/\s+/g, '');
+    // NPRM refs cite a PROPOSED rule, not a current obligation — keep that
+    // distinction explicit so the report never presents a proposed requirement
+    // as enforceable.
+    const isNprm = /\bNPRM\b/i.test(trimmed);
+    // Inline control name = text after a dash delimiter, if present.
+    const dashMatch = trimmed.match(/[-–—]\s*(.+)$/);
+    const name = (dashMatch ? dashMatch[1].trim() : undefined) ?? nameForSection(section);
+    const base = name ? `45 CFR §${section} — ${name}` : `45 CFR §${section}`;
+    return isNprm ? `${base} (NPRM — proposed rule)` : base;
+}
+/**
+ * Normalize any hipaaReference string to one canonical style:
+ * "45 CFR §164.312(c) — Integrity Controls".
+ *
+ * Handles the three styles currently emitted by the scanners:
+ *   - already-full  "45 CFR §164.312(c) - Integrity Controls"
+ *   - bare section  "§164.502, §164.514"
+ *   - NPRM-prefixed "NPRM §164.312(d) - Person or Entity Authentication"
+ *     → kept distinct as a proposed rule:
+ *       "45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule)"
+ *
+ * Multi-section refs (comma-separated) are expanded into each canonical ref,
+ * joined with "; ". The original string is never mutated on the finding object.
+ */
+export function formatHipaaRef(raw) {
+    if (!raw)
+        return '—';
+    // Split only at commas that begin a new citation, so control names that
+    // happen to contain a comma are not broken apart.
+    const parts = raw.split(/,\s*(?=(?:45 CFR|NPRM|§|\d{3}\.))/);
+    const normalized = parts.map(normalizeOneRef).filter((p) => Boolean(p));
+    return normalized.length > 0 ? normalized.join('; ') : '—';
+}
+//# sourceMappingURL=finding-presentation.js.map

package/dist/reporters/finding-presentation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"finding-presentation.js","sourceRoot":"","sources":["../../src/reporters/finding-presentation.ts"],"names":[],"mappings":"AAYA,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAU;IAC1C,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAmB;IAC3D,MAAM,OAAO,GAAc,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,oBAAoB,CAAC,QAAmB;IACtD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CACvB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAC1G,CAAC;AACJ,CAAC;AAeD,4EAA4E;AAC5E,SAAS,eAAe,CAAC,QAAmB;IAC1C,IAAI,IAAI,GAAoB,IAAI,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,IAAI,IAAI,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC1F,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAmB;IACzD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,QAAQ;YAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;YAC1B,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAC9B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAClG,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,qEAAqE;QACrE,iEAAiE;QACjE,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;QACzE,MAAM,CAAC,IAAI,CAAC;YACV,GAAG;YACH,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI;YACpB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI;YACpB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ;YAC5B,QAAQ;YACR,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,IAAI,CACT,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC;QACrD,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC;QAC5B,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CACvC,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,qBAAqB,CAAC,MAAuB;IAC3D,MAAM,MAAM,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC9F,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,aAAa,GAA2B;IAC5C,sBAAsB,EAAE,eAAe;IACvC,sBAAsB,EAAE,kBAAkB;IAC1C,eAAe,EAAE,YAAY;IAC7B,eAAe,EAAE,gBAAgB;IACjC,kBAAkB,EAAE,4BAA4B;IAChD,oBAAoB,EAAE,kBAAkB;IACxC,mBAAmB,EAAE,2BAA2B;IAChD,YAAY,EAAE,gBAAgB;IAC9B,YAAY,EAAE,WAAW;IACzB,YAAY,EAAE,iCAAiC;IAC/C,eAAe,EAAE,uBAAuB;IACxC,SAAS,EAAE,4CAA4C;IACvD,YAAY,EAAE,mBAAmB;IACjC,SAAS,EAAE,yCAAyC;IACpD,YAAY,EAAE,eAAe;CAC9B,CAAC;AAEF,2EAA2E;AAC3E,SAAS,cAAc,CAAC,OAAe;IACrC,IAAI,SAAS,GAAG,OAAO,CAAC;IACxB,OAAO,SAAS,EAAE,CAAC;QACjB,IAAI,aAAa,CAAC,SAAS,CAAC;YAAE,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI,QAAQ,KAAK,SAAS;YAAE,MAAM;QAClC,SAAS,GAAG,QAAQ,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEhE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACpE,IAAI,CAAC,YAAY;QAAE,OAAO,OAAO,CAAC,CAAC,uCAAuC;IAE1E,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,uEAAuE;IACvE,2EAA2E;IAC3E,kBAAkB;IAClB,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzC,iEAAiE;IACjE,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;IAEtF,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,WAAW,OAAO,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,WAAW,OAAO,EAAE,CAAC;IAC1E,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1D,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,wEAAwE;IACxE,kDAAkD;IAClD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACrF,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC7D,CAAC"}

package/dist/reporters/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reporters/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,aAAa,~~EAA4F~~,MAAM,aAAa,CAAC;AAitG/J,wBAAsB,cAAc,CAClC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,~~CA6Bf~~"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reporters/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,aAAa,EAA4E,MAAM,aAAa,CAAC;AAitG/I,wBAAsB,cAAc,CAClC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CAsCf"}

package/dist/reporters/index.js CHANGED Viewed

@@ -3,6 +3,8 @@ import * as path from 'path';
 import chalk from 'chalk';
 import { getRemediationGuide } from './remediation-guides.js';
 import { getStackSpecificGuides } from '../stack-detector/stack-guides.js';
+import { brandFooterText, brandPreparedBy, logoDataUri } from './branding.js';
+import { generateScanPdf } from './scan-pdf-report.js';
 const PACKAGE_CATEGORIES = {
     // Frameworks
     'next': { category: 'framework', provider: 'Next.js Framework' },
@@ -134,22 +136,6 @@ async function generateAssetInventory(targetPath) {
         totalAssets: assets.length,
     };
 }
-function generateAssetInventoryCsv(inventory) {
-    const header = 'ID,Name,Version,Type,Category,Provider,Responsible Person,Location\n';
-    const rows = inventory.assets.map(asset => {
-        return [
-            asset.id,
-            `"${asset.name}"`,
-            `"${asset.version}"`,
-            asset.type,
-            asset.category,
-            `"${asset.provider}"`,
-            `"${asset.responsiblePerson}"`,
-            `"${asset.location}"`,
-        ].join(',');
-    }).join('\n');
-    return header + rows;
-}
 async function analyzeDataFlow(targetPath, findings) {
     const entryPoints = [];
     const dataStores = [];
@@ -618,7 +604,7 @@ async function getScoreTrending(targetPath, currentScore) {
         }
         return { direction, previousScore, change };
     }
-    catch (error) {
+    catch {
         // No history available
         return null;
     }
@@ -900,6 +886,11 @@ async function generateHtml(report, targetPath, options) {
     const complianceScoreHtml = await renderComplianceScoreHtml(report, targetPath);
     const assetInventoryHtml = await renderAssetInventoryHtml(targetPath);
     const dataFlowMapHtml = await renderDataFlowMapHtml(targetPath, report.findings);
+    // White-label branding (no-op when no brand is supplied → output unchanged).
+    const brandLogo = logoDataUri(options.branding);
+    const hasBrand = Boolean(options.branding?.name || brandLogo);
+    const brandPreparedByLabel = brandPreparedBy(options.branding);
+    const brandFooterLine = brandFooterText(options.branding);
     const severityColors = {
         critical: '#dc2626',
         high: '#ea580c',
@@ -930,6 +921,17 @@ async function generateHtml(report, targetPath, options) {
     body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #1f2937; background: #f9fafb; padding: 2rem; }
     .container { max-width: 1400px; margin: 0 auto; }
+    /* White-label branding */
+    .brand-header { display: flex; align-items: center; gap: 1rem; margin-bottom: 1.5rem; padding-bottom: 1.5rem; border-bottom: 1px solid #e5e7eb; }
+    .brand-header img.brand-logo { max-height: 64px; max-width: 220px; object-fit: contain; }
+    .brand-header .brand-prepared-by { color: #6b7280; font-size: 0.95rem; }
+    .brand-header .brand-prepared-by strong { color: #111827; }
+    .brand-page-footer { display: none; }
+    @media print {
+      .brand-page-footer { display: block; position: fixed; bottom: 0; left: 0; right: 0; text-align: center; font-size: 0.7rem; color: #6b7280; padding: 0.4rem 0; }
+      @page { margin-bottom: 2.2cm; }
+    }
     /* Executive Summary Styles */
     .executive-summary-section { margin: 0 0 3rem 0; padding: 2.5rem; background: white; border-radius: 16px; box-shadow: 0 4px 6px rgba(0,0,0,0.07); }
     .exec-header h1 { color: #111827; font-size: 2.5rem; margin: 0 0 0.5rem 0; }
@@ -1315,6 +1317,12 @@ async function generateHtml(report, targetPath, options) {
 </head>
 <body>
   <div class="container">
+    ${hasBrand ? `
+    <div class="brand-header">
+      ${brandLogo ? `<img src="${brandLogo}" alt="${escapeHtml(brandPreparedByLabel)} logo" class="brand-logo">` : ''}
+      <div class="brand-prepared-by">Prepared by <strong>${escapeHtml(brandPreparedByLabel)}</strong></div>
+    </div>` : ''}
     ${renderExecutiveSummaryHtml(report)}
     <h1>HIPAA Compliance Report</h1>
@@ -1393,10 +1401,12 @@ async function generateHtml(report, targetPath, options) {
     </div>
     <footer style="margin-top: 3rem; padding-top: 1rem; border-top: 1px solid #e5e7eb; color: #6b7280; font-size: 0.875rem;">
+      ${hasBrand ? `<p><strong>${escapeHtml(brandFooterLine)}</strong></p>` : ''}
       <p>Generated by <strong>vlayer</strong> v0.2.0 - HIPAA Compliance Scanner for Healthcare Applications</p>
       <p>Run with <code>--fix</code> flag to automatically fix issues marked as "Auto-fixable"</p>
     </footer>
   </div>
+  ${hasBrand ? `<div class="brand-page-footer">${escapeHtml(brandFooterLine)}</div>` : ''}
 </body>
 </html>`;
 }
@@ -1797,12 +1807,9 @@ function renderExecutiveSummaryHtml(report) {
 }
 function renderBackupRecoveryGuideHtml(stack) {
     let guideContent = '';
-    let dbType = 'unknown';
-    let dbDisplay = stack?.databaseDisplay || 'Unknown';
     // Detect database type from stack
     const database = stack?.database || 'unknown';
     if (database.includes('supabase')) {
-        dbType = 'supabase';
         guideContent = `
       <div class="backup-guide-card">
         <div class="backup-guide-header">
@@ -1853,10 +1860,10 @@ function renderBackupRecoveryGuideHtml(stack) {
               <strong>Additional Manual Backup (Optional)</strong>
               <div class="backup-code-block">
                 <pre><code># Using pg_dump for additional backup
-pg_dump "postgresql://[user]:[password]@[host]:[port]/[database]" > backup_\$(date +%Y%m%d).sql
+pg_dump "postgresql://[user]:[password]@[host]:[port]/[database]" > backup_$(date +%Y%m%d).sql
 # Upload to secure offsite storage
-aws s3 cp backup_\$(date +%Y%m%d).sql s3://your-backup-bucket/</code></pre>
+aws s3 cp backup_$(date +%Y%m%d).sql s3://your-backup-bucket/</code></pre>
               </div>
             </div>
           </div>
@@ -1865,7 +1872,6 @@ aws s3 cp backup_\$(date +%Y%m%d).sql s3://your-backup-bucket/</code></pre>
     `;
     }
     else if (database.includes('prisma') || database.includes('postgres')) {
-        dbType = 'postgresql';
         guideContent = `
       <div class="backup-guide-card">
         <div class="backup-guide-header">
@@ -1883,23 +1889,23 @@ aws s3 cp backup_\$(date +%Y%m%d).sql s3://your-backup-bucket/</code></pre>
 # PostgreSQL Backup Script for HIPAA Compliance
 BACKUP_DIR="/path/to/backups"
-TIMESTAMP=\$(date +%Y%m%d_%H%M%S)
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
 BACKUP_FILE="\${BACKUP_DIR}/backup_\${TIMESTAMP}.sql"
 # Create backup directory if not exists
-mkdir -p \$BACKUP_DIR
+mkdir -p $BACKUP_DIR
 # Perform backup
-pg_dump \$DATABASE_URL > \$BACKUP_FILE
+pg_dump $DATABASE_URL > $BACKUP_FILE
 # Compress backup
-gzip \$BACKUP_FILE
+gzip $BACKUP_FILE
 # Upload to offsite storage (S3 example)
 aws s3 cp \${BACKUP_FILE}.gz s3://your-backup-bucket/postgresql/
 # Keep only last 30 days of local backups
-find \$BACKUP_DIR -name "backup_*.sql.gz" -mtime +30 -delete
+find $BACKUP_DIR -name "backup_*.sql.gz" -mtime +30 -delete
 echo "Backup completed: \${BACKUP_FILE}.gz"</code></pre>
               </div>
@@ -1929,10 +1935,10 @@ aws s3 cp s3://your-backup-bucket/postgresql/backup_YYYYMMDD.sql.gz .
 gunzip backup_YYYYMMDD.sql.gz
 # Restore to test database
-psql \$TEST_DATABASE_URL < backup_YYYYMMDD.sql
+psql $TEST_DATABASE_URL < backup_YYYYMMDD.sql
 # Verify data integrity
-psql \$TEST_DATABASE_URL -c "SELECT COUNT(*) FROM patients;"</code></pre>
+psql $TEST_DATABASE_URL -c "SELECT COUNT(*) FROM patients;"</code></pre>
               </div>
             </div>
           </div>
@@ -1954,7 +1960,6 @@ psql \$TEST_DATABASE_URL -c "SELECT COUNT(*) FROM patients;"</code></pre>
     `;
     }
     else if (database.includes('mongo')) {
-        dbType = 'mongodb';
         guideContent = `
       <div class="backup-guide-card">
         <div class="backup-guide-header">
@@ -1986,12 +1991,12 @@ psql \$TEST_DATABASE_URL -c "SELECT COUNT(*) FROM patients;"</code></pre>
                 <pre><code>#!/bin/bash
 # MongoDB Backup Script
-TIMESTAMP=\$(date +%Y%m%d_%H%M%S)
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
 BACKUP_DIR="/path/to/backups"
 BACKUP_NAME="mongodb_backup_\${TIMESTAMP}"
 # Perform backup
-mongodump --uri="\$MONGODB_URI" --out=\${BACKUP_DIR}/\${BACKUP_NAME}
+mongodump --uri="$MONGODB_URI" --out=\${BACKUP_DIR}/\${BACKUP_NAME}
 # Compress
 tar -czf \${BACKUP_DIR}/\${BACKUP_NAME}.tar.gz -C \${BACKUP_DIR} \${BACKUP_NAME}
@@ -2001,7 +2006,7 @@ rm -rf \${BACKUP_DIR}/\${BACKUP_NAME}
 aws s3 cp \${BACKUP_DIR}/\${BACKUP_NAME}.tar.gz s3://your-backup-bucket/mongodb/
 # Cleanup old local backups (keep 7 days)
-find \$BACKUP_DIR -name "mongodb_backup_*.tar.gz" -mtime +7 -delete</code></pre>
+find $BACKUP_DIR -name "mongodb_backup_*.tar.gz" -mtime +7 -delete</code></pre>
               </div>
             </div>
           </div>
@@ -2016,10 +2021,10 @@ aws s3 cp s3://your-backup-bucket/mongodb/mongodb_backup_YYYYMMDD.tar.gz .
 tar -xzf mongodb_backup_YYYYMMDD.tar.gz
 # Restore to test database
-mongorestore --uri="\$TEST_MONGODB_URI" mongodb_backup_YYYYMMDD/
+mongorestore --uri="$TEST_MONGODB_URI" mongodb_backup_YYYYMMDD/
 # Verify collections
-mongo \$TEST_MONGODB_URI --eval "db.getCollectionNames()"</code></pre>
+mongo $TEST_MONGODB_URI --eval "db.getCollectionNames()"</code></pre>
               </div>
             </div>
           </div>
@@ -2028,7 +2033,6 @@ mongo \$TEST_MONGODB_URI --eval "db.getCollectionNames()"</code></pre>
     `;
     }
     else {
-        dbType = 'none';
         guideContent = `
       <div class="backup-guide-card backup-guide-warning">
         <div class="backup-guide-header">
@@ -2171,9 +2175,8 @@ mongo \$TEST_MONGODB_URI --eval "db.getCollectionNames()"</code></pre>
     </div>
   `;
 }
-function renderIncidentResponsePlanHtml(criticalFindings, highFindings) {
+function renderIncidentResponsePlanHtml(criticalFindings, _highFindings) {
     const hasActiveIncident = criticalFindings > 0;
-    const riskLevel = criticalFindings > 0 ? 'HIGH' : highFindings > 0 ? 'MEDIUM' : 'LOW';
     return `
     <div class="incident-response-section">
       <div class="incident-header">
@@ -2598,7 +2601,6 @@ function renderScanComparisonHtml(comparison) {
     const criticalChange = formatChange(severityChanges.critical, true);
     const highChange = formatChange(severityChanges.high, true);
     const mediumChange = formatChange(severityChanges.medium, true);
-    const lowChange = formatChange(severityChanges.low, true);
     // Format previous scan date
     const prevDate = new Date(previousScan.timestamp);
     const formattedDate = prevDate.toLocaleString('en-US', {
@@ -3050,6 +3052,14 @@ function severityBadge(severity) {
 }
 export async function generateReport(result, targetPath, options) {
     const report = buildReport(result, targetPath, options.vulnerabilities);
+    // PDF is binary: generate the buffer and write it directly.
+    if (options.format === 'pdf') {
+        const { buffer } = await generateScanPdf(result, targetPath, { branding: options.branding });
+        const pdfPath = options.outputPath || 'vlayer-report.pdf';
+        await writeFile(pdfPath, buffer);
+        console.log(chalk.green(`\nReport saved to: ${pdfPath}`));
+        return;
+    }
     let content;
     let extension;
     switch (options.format) {